Cisco Support Community

New Member

VPN client and radius or CAR

Hello:

I am trying to set up remote access VPN on an IOS router with Cisco RADIUS or CAR.

The VPN client user needs to be authenticated by group ID and password, and user ID and password.

How should I set up CAR? Could someone provide me an example?

I saw this sample, but there is no relationship between user and group.

Any suggestions?

thx

[ //localhost/RADIUS/UserLists/Default/joe-coke ]

Name = joe-coke

Description =

Password = <encrypted>

AllowNullPassword = FALSE

Enabled = TRUE

Group~ =

BaseProfile~ =

AuthenticationScript~ =

AuthorizationScript~ =

UserDefined1 =

[ //localhost/RADIUS/UserLists/Default/group1 ]

Name = group1

Description =

Password = <encrypted> (would be "cisco")

AllowNullPassword = FALSE

Enabled = TRUE

Group~ =

BaseProfile~ = group1profile

AuthenticationScript~ =

AuthorizationScript~ =

UserDefined1 =

Define the group attributes such as pre-shared key, IP address pool name, etc. using Cisco AV-pairs:

[ //localhost/RADIUS/Profiles/group1profile/Attributes ]

cisco-avpair = ipsec:key-exchange=ike

cisco-avpair = ipsec:tunnel-password=cisco123

cisco-avpair = ipsec:addr-pool=pool1

Service-Type = Outbound
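
The gap raised in the question (user entries that point at no group or profile) can be checked mechanically on a listing in the format shown above. The following is an added example, not part of the original post and not Cisco code: the function names are hypothetical, the sample listing is constructed, and treating an empty `Group~` and `BaseProfile~` as "not bound to any group" is an assumption.

```python
import re

# Constructed listing in the format quoted in the post above (not from a live server).
SAMPLE = """\
[ //localhost/RADIUS/UserLists/Default/joe-coke ]
Name = joe-coke
Group~ =
BaseProfile~ =
[ //localhost/RADIUS/UserLists/Default/group1 ]
Name = group1
Group~ =
BaseProfile~ = group1profile
[ //localhost/RADIUS/Profiles/group1profile/Attributes ]
cisco-avpair = ipsec:key-exchange=ike
cisco-avpair = ipsec:addr-pool=pool1
"""

SECTION = re.compile(r"^\[\s*(\S+)\s*\]$")

def parse_listing(text):
    """Map each [ path ] header to its (key, value) pairs; repeated keys are kept."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            current.append((key.strip(), value.strip()))
    return sections

def users(sections):
    """Yield each user entry under /UserLists/ as a dict of its fields."""
    for path, pairs in sections.items():
        if "/UserLists/" in path:
            yield dict(pairs, Name=dict(pairs).get("Name") or path.rsplit("/", 1)[-1])

def unbound_users(sections):
    """User entries with neither Group~ nor BaseProfile~ set (assumed: no group binding)."""
    return [u["Name"] for u in users(sections)
            if not u.get("Group~") and not u.get("BaseProfile~")]

def dangling_profiles(sections):
    """BaseProfile~ values that name a profile absent from the listing."""
    known = {p.split("/Profiles/")[1].split("/")[0] for p in sections if "/Profiles/" in p}
    return sorted({u["BaseProfile~"] for u in users(sections)
                   if u.get("BaseProfile~") and u["BaseProfile~"] not in known})

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("no group/profile:", unbound_users(parsed))
    print("missing profiles:", dangling_profiles(parsed))
```
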

3 REPLIES
Cisco Employee

Re: VPN client and radius or CAR

You can define the group locally on the router to define the values which the client will use to build the tunnel (pre-shared key, etc.). The client's username/pw can then be defined within the AAA server to allow access to the network once the tunnel has been established.

The link below should show how to set up the group config in IOS, and you should change the AAA method to point to radius instead of local to authenticate the client at your AAA server.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

New Member

Re: VPN client and radius or CAR

Hi, Jawicks:

Thanks for your response. I did group authorization locally on the router, and that works fine; my question is how to make sure that a user is in a specific group which is set up on the RADIUS side.

I tried to access your URL, but I got page not found, even though I logged in.

Thanks,

New Member

Re: VPN client and radius or CAR

hi,

I am using this VSA in IOS 12.4:

"ipsec:user-vpn-grou=

in order to lock the user within this group

The older IOS VSA was: "ipsec:group-lock=1"

You can follow this link for more details:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hunity.html#wp1045269

best regards
